HowTo Nextcloud (SecureOffice), by xoops, 29-Nov-2020 17:20

Table_of_Contents

1      NextCloud

1.1                NextCloud Pre-Requisites

1.2                Configure NextCloud

1.3                Start Nextcloud Container

1.4                Enable NextCloud Public Internet Access

1.5                Personalize NextCloud

1.6                Configure Email

1.7                Add NextCloud Users

1.8                NextCloud Client Applications

1.9                Determine Files to Share

2      NextCloud Applications

2.1                NextCloud Talk

2.1.1      Turn Server

2.1.2      Make a Test Call

2.1.3      NextCloud Talk Clients

2.2                Other NextCloud Applications

3      NextCloud Backup / Restore

List of Figures

Figure 1:       NextCloud Configuration

Figure 2:       NextCloud Login

Figure 3:       NextCloud Start Page

Figure 4:       Nextcloud Virtual Domain

Figure 5:      NextCloud Talk Session

1      NextCloud

The importance of protecting YOUR information and communications from third parties (including cloud providers) and limiting access to those you trust cannot be overstated. This means self-hosted file share / sync and communications services. This makes your information inaccessible to, for example, border snoops examining your devices or casing your joint. Disable access (VPN, logout, etc.) on your client devices prior to crossing borders. Re-enable access once across the border. The premium application for this is NextCloud.

Nextcloud Talk (secure multi-party videoconference, chat and screen sharing application) is a very useful application for group collaboration.

This documentation is primarily concerned with basic NextCloud installation on SecureOffice. Given the large number of applications and usage scenarios, it is impractical to document it all. There is a wealth of NextCloud documentation, HowTo's on the internet for fine tuning your installation.

Once NextCloud is installed and configured for SecureOffice, it is a standard installation and all nextcloud documentation regarding adding features, configuration and usage may be used.

1.1                NextCloud Pre-Requisites

NextCloud and some dependencies are custom packages, requiring a subscription to the SecureOffice custom package repository for installation. A valid license for the Docker premium package is also required. Instructions for docker installation.

During installation, docker-nextcloud automatically adapts to your network configuration. This includes nextcloud and Nginx (web server) configuration. The following network configuration must be complete prior to installing docker-nextcloud, otherwise, Nextcloud docker and Nginx configuration must be altered to accommodate:

The NextCloud docker image requires database support. The image, by default (no configuration) internally uses mysql, which has poor performance. The default SecureOffice configuration of NextCloud uses the postgresql database, which is automatically installed and configured as a dependency of docker-nextcloud.

To install NextCloud, at a command prompt, enter:"opkg update; opkg install docker-nextcloud".

1.2                Configure NextCloud

The default docker configuration file "/etc/config/docker/nextcloud" is shown below. It must be altered for your environment before first NextCloud run, otherwise, the container must be fully removed and re-installed to change the configuration. This is because the included environment variables are only used during first run of the image to create internal configuration. Additional environment variables (such as optional email settings) take effect at each run.

Further information regarding NextCloud image configuration / usage can be found in the nextcloud configuration guide.

# Reference: https://docs.docker.com/engine/reference/commandline/run/
# or: docker run --help
# Images ('option image') are from https://hub.docker.com
# 'option xxxx' are single options, cannot be repeated
# 'list xxxx' are options that can be repeated multiple times
# Cannot have spaces in list parameters, replace with ',', replaced with ' ' by init script
# Multiple container sections supported

config container 'nextcloud' # Arbitrary container name
    option enable '0' # '0' or '1'
    option image 'nextcloud:20.0.4-apache' # From docker hub
    option hostname 'nextcloud' # DNS name for host (ping hostname)
    option run_cmd '' # Command for image to run at startup
    option run_cmd_args '' # Arguments for image startup command
    list ports "8080:80" # Port mapping (-p <host port>:<container port>)
    list links '' # Other images to link (--link <other image name>)
    # Environment variables for image (-e <VAR=VALUE>)
    # These variables are only used for initial image install
    # To change them (a) remove container, start fresh or
    # (b) alter /home/data/docker_data/nextcloud/config/config.php (mapped nextcloud directory)
    list env 'POSTGRES_PASSWORD=postgres'
    list env 'POSTGRES_USER=postgres'
    list env 'POSTGRES_DB=nextcloud'
    list env 'POSTGRES_HOST=<your_lan_address>'
    list env 'NEXTCLOUD_ADMIN_USER=admin'
    list env 'NEXTCLOUD_ADMIN_PASSWORD=admin_54321'
    list env 'NEXTCLOUD_TRUSTED_DOMAINS="<your_lan_base_address>.*,nextcloud.<your domain_name>"'
    # Quote TRUSTED_PROXIES with '|', since double '""' quotes mess up
    list env 'TRUSTED_PROXIES=|<your_lan_base_address>/24,nextcloud.<your domain_name>|'
    # End install variables
    # Directory mapping (-v <host directory>:<container directory>)
    list volume '/home/data/docker_data/nextcloud:/var/www/html'
    list parms '' # Extra parameters, verbatim as expected by 'docker run'
    option log_stderr '0' # Log container stderr to syslog
    option log_stdout '0' # Log container stdout to syslog

Figure 1: NextCloud Configuration

Using the nano editor ("nano /etc/config/docker/nextcloud"), alter the following values, then save the file:

  • "enable '1'" to enable the container.
  • "hostname": the image internal and external (to SecureOffice) DNS name of the container. Leave at default.
  • "ports": Leave at default, or comment ('#'), depending on how the container will be accessed (Nginx, reverse proxy). These are the port mappings for the image. To access the image at localhost, use "127.0.0.1:8080" or "<LAN address>:8080". See "Nginx Configuration" for further details.
  • "POSTGRES_PASSWORD", "POSTGRES_USER": Leave at defaults unless you changed them.
  • "NEXTCLOUD_ADMIN_USER", "NEXTCLOUD_ADMIN_PASSWORD": Change these to your own unique user ID and a strong, hard to guess password.
  • "NEXTCLOUD_TRUSTED_DOMAINS": Leave at defaults unless you changed the LAN address or image name; in that case, change them to match. These values determine which addresses are valid (security) for accessing the container.
  • "TRUSTED_PROXIES": Allows Nextcloud to be proxied by Nginx or any server on the local LAN. Suggest leaving at default.
  • The "volume" settings map external filesystem directories to internal nextcloud container directories, providing persistent storage for data and configuration. This allows the container to be updated without losing settings or configuration. It is strongly recommended not to change these.
  • The "log_stderr" and "log_stdout" settings are used for debugging. Setting them to '1' will log to SecureOffice syslog. This is recommended for first run, until configuration is complete, to debug any errors. To monitor container startup messages, enter "logread -f | grep docker" at a command prompt.
  • Leave all other settings at default values.

Note that NextCloud internal persistent configuration files ("/home/data/docker_data/nextcloud/*") are available (file browser from device on SecureOffice LAN) at "\\<SecureOffice LAN address>/Dockers/nextcloud".
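As an added check (example code written for this HowTo, not part of SecureOffice, docker-nextcloud or Nextcloud), the following Python script parses a config section in the format shown in Figure 1 and reports the values the list above says must be changed before first run: the container still disabled, an unpinned image tag, the shipped admin credentials, and "<...>" placeholders left unfilled. Both sample config texts are constructed here; run it on a workstation against a copy of /etc/config/docker/nextcloud (Python is assumed on the workstation, not on SecureOffice).

```python
import re

# One 'option name value' or 'list name value' line of a SecureOffice docker
# config section; the value is single- or double-quoted, a trailing '#' comment is ignored.
UCI_LINE = re.compile(r"^\s*(option|list)\s+(\w+)\s+(?:'([^']*)'|\"([^\"]*)\")")
PLACEHOLDER = re.compile(r"<[^>]*>")          # unfilled '<your_lan_address>' style markers
DEFAULT_ADMIN_USER, DEFAULT_ADMIN_PASSWORD = "admin", "admin_54321"   # shipped defaults

def parse_uci(text):
    """Return (options, lists) from the config text; lists map name -> [values]."""
    options, lists = {}, {}
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:                      # blank, comment or 'config container ...' line
            continue
        kind, name, single, double = m.groups()
        value = single if single is not None else double
        if kind == "option":
            options[name] = value
        else:
            lists.setdefault(name, []).append(value)
    return options, lists

def env_map(lists):
    """Split 'list env VAR=VALUE' entries; drop the '"' and '|' quoting used in the file."""
    env = {}
    for item in lists.get("env", []):
        key, _, value = item.partition("=")
        env[key] = value.strip('"|')
    return env

def audit(text):
    """Return a list of human-readable findings; an empty list means the file is ready."""
    findings = []
    options, lists = parse_uci(text)
    env = env_map(lists)
    if options.get("enable") != "1":
        findings.append("container is disabled (enable '0')")
    image = options.get("image", "")
    tag = image.rpartition(":")[2] if ":" in image else ""
    if not tag or tag == "latest":
        findings.append("image tag is not pinned: %r" % image)
    if env.get("NEXTCLOUD_ADMIN_USER") == DEFAULT_ADMIN_USER:
        findings.append("NEXTCLOUD_ADMIN_USER is still 'admin'")
    password = env.get("NEXTCLOUD_ADMIN_PASSWORD", "")
    if password == DEFAULT_ADMIN_PASSWORD or len(password) < 12:
        findings.append("NEXTCLOUD_ADMIN_PASSWORD is the default or shorter than 12 characters")
    for key in ("POSTGRES_HOST", "NEXTCLOUD_TRUSTED_DOMAINS", "TRUSTED_PROXIES"):
        if PLACEHOLDER.search(env.get(key, "")):
            findings.append("%s still contains an unfilled <placeholder>" % key)
    if not any(v.endswith(":/var/www/html") for v in lists.get("volume", [])):
        findings.append("no persistent volume mapped to /var/www/html")
    return findings

# Constructed sample: the shipped defaults, abbreviated to the lines the audit reads.
SHIPPED_DEFAULTS = """
config container 'nextcloud'
    option enable '0'
    option image 'nextcloud:20.0.4-apache'
    list env 'POSTGRES_HOST=<your_lan_address>'
    list env 'NEXTCLOUD_ADMIN_USER=admin'
    list env 'NEXTCLOUD_ADMIN_PASSWORD=admin_54321'
    list env 'NEXTCLOUD_TRUSTED_DOMAINS="<your_lan_base_address>.*,nextcloud.<your domain_name>"'
    list env 'TRUSTED_PROXIES=|<your_lan_base_address>/24,nextcloud.<your domain_name>|'
    list volume '/home/data/docker_data/nextcloud:/var/www/html'
"""

# Constructed sample: the same file after editing (LAN 192.168.1.x, domain example.com).
EDITED = """
config container 'nextcloud'
    option enable '1'
    option image 'nextcloud:20.0.4-apache'
    list env 'POSTGRES_HOST=192.168.1.1'
    list env 'NEXTCLOUD_ADMIN_USER=ncadmin'
    list env 'NEXTCLOUD_ADMIN_PASSWORD=Example-Only-Passphrase-2020!'
    list env 'NEXTCLOUD_TRUSTED_DOMAINS="192.168.1.*,nextcloud.example.com"'
    list env 'TRUSTED_PROXIES=|192.168.1.0/24,nextcloud.example.com|'
    list volume '/home/data/docker_data/nextcloud:/var/www/html'
"""

if __name__ == "__main__":
    for label, text in (("shipped defaults", SHIPPED_DEFAULTS), ("edited", EDITED)):
        print(label + ":", audit(text) or "no findings")
```

The parser only understands the two line shapes the file uses, so anything it does not recognise is skipped rather than guessed at; extend the checks in audit() if you change ports or hostname from their defaults.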

1.3                Start Nextcloud Container

Enable and start the docker daemon: At a command prompt, enter: "/etc/init.d/dockerd enable; /etc/init.d/dockerd start; /etc/init.d/docker enable; /etc/init.d/docker start".

At first run, it will take some time for docker to download and configure the NextCloud container. Assuming the log_std* configuration values were set to '1', progress can be viewed (console) by entering "logread -f | grep docker". A successful run will contain: "Command line: apache2 -D FOREGROUND", else some error message which must be debugged before proceeding. Enter CTRL+c (together) to exit logread. Enter "ping nextcloud" to confirm the container is communicating.

At this point, NextCloud can only be accessed from your local LAN at addresses: "http://<LAN address>:8080" or "http://nextcloud" (no https for either) or from the OpenWrt menu at "Services->Nextcloud". Using a browser from a PC on your LAN, enter one of the previous addresses. After a long wait (for initial NextCloud download / install) you should see the NextCloud login page, below:

Figure 2: NextCloud Login

Login to NextCloud with the username and password configured above. Scroll through or dismiss ("X" in top right-hand corner) the introduction. You should see the NextCloud start page, below:

Figure 3: NextCloud Start Page

If satisfied with private NextCloud access from local LAN only (perhaps over VPN), skip the following public access section and proceed to personalize nextcloud.

1.4                Enable NextCloud Public Internet Access

At installation, NextCloud is automatically configured for private (clients on local LAN only) network access as a Nginx virtual host by Nginx configuration file "/etc/nginx/vhosts/nextcloud.conf" installed as part of the docker-nextcloud package. If intending to use the NextCloud Talk application (secure videoconferencing, screen sharing and chat), public internet access is required for users to participate in conference calls unless all clients connect to your server from the local LAN or using VPN.

There are serious security considerations for public internet access, strong passwords at a minimum. It is far more secure to remotely access NextCloud from the local LAN using the SecureOffice VPN Server, which allows remote access clients to appear as local clients. Public internet access is required only for remote clients (not on the local LAN or connected via VPN).

The general approach (and pre-requisites) for serving a site at a dedicated domain is in the Nginx HowTo documentation.

Assuming the prerequisites such as domain, DNS, SSL certificates were met prior to docker-nextcloud installation, the configuration values "<your LAN address>" and "<your domain name>" were automatically set by Nextcloud installation.

To enable public NextCloud access, comment (insert "#") or delete the "allow" and "deny" lines in the "/etc/nginx/vhosts/nextcloud.conf" configuration file, shown below:

Nextcloud will be publicly accessible at "https://nextcloud.<your domain>". Be aware there are security implications for NextCloud public access. Use strong, hard to guess passwords for clients. Check the nextcloud security documentation for possible precautions, many of which are already done.

server {
    listen 443;
    listen [::]:443;
    server_name nextcloud.<your domain name>;
    add_header X-Frame-Options "ALLOW-FROM https://<your LAN address>/ https://$server_name/";
    add_header Content-Security-Policy "frame-ancestors 'self' https://<your LAN address> https://$server_name/";

    location / {
        # Comment "#" following lines to allow internet access
        # Otherwise, nextcloud only accessible from local LAN
        allow 192.168.0.0/16;
        allow 172.16.0.0/12;
        allow 10.0.0.0/8;
        allow 127.0.0.0/8;
        deny all;
        # End lines to comment

        # Set all cookies to secure, httponly and samesite (strict, lax or none)
        # Need Nginx 1.19.3+ for proxy_cookie_flags
        proxy_cookie_flags ~ secure httponly samesite=none;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_pass http://<your LAN address>:8080;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Figure 4: Nextcloud Virtual Domain

Note: NextCloud is http only and Nginx is converting http to https and the converse.

Restart nginx: "/etc/init.d/nginx restart; rm -rf /var/luci-*" at a command prompt for the changes to take effect.

Enter "https://nextcloud.<yourdomain without https>" in a web browser. If all is well, you will see the NextCloud login page (Figure 2). Log in and you should see Figure 3.

If all is not well, enable NextCloud logging "log_std* '1'", restart nextcloud ("/etc/init.d/docker stop; /etc/init.d/docker start"), enter "logread -f | grep docker" (to watch for error messages) and try to access NextCloud again. Enter CTRL+c (together) to exit logread. Fix any errors before proceeding.
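Two access decisions in this section are easy to get wrong: the allow/deny list (nginx applies the first matching rule, and with the rules commented out everything is allowed), and what Nextcloud should make of the X-Forwarded-For header that "$proxy_add_x_forwarded_for" builds once public access is on, which is what TRUSTED_PROXIES in the docker config governs (Nextcloud's per-address brute-force protection keys on the address it derives). The Python below is added as an illustration and is not code from SecureOffice, nginx or Nextcloud; the client-address routine is the generic rightmost-untrusted algorithm, not a copy of Nextcloud's own parser, and every address in it is constructed.

```python
import ipaddress

# The 'allow'/'deny' rules from the LAN-only block of nextcloud.conf, in file order.
LAN_ONLY_RULES = [
    ("allow", "192.168.0.0/16"),
    ("allow", "172.16.0.0/12"),
    ("allow", "10.0.0.0/8"),
    ("allow", "127.0.0.0/8"),
    ("deny", "all"),
]

def nginx_access(rules, client_ip):
    """True if nginx would serve client_ip under these rules: the first matching
    rule decides, and a request matching no rule (or an empty rule list, i.e. the
    lines commented out) is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for verdict, subject in rules:
        if subject == "all" or ip in ipaddress.ip_network(subject):
            return verdict == "allow"
    return True

def add_forwarded_for(incoming_xff, remote_addr):
    """What $proxy_add_x_forwarded_for produces: whatever header the client sent
    (possibly nothing, possibly a lie) with the connecting address appended."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def client_address(remote_addr, xff_header, trusted_proxies):
    """Rightmost-untrusted evaluation of X-Forwarded-For. If the TCP peer is not a
    trusted proxy the header is ignored outright. Otherwise walk the chain from the
    proxy end and skip every address inside a trusted range; the first one that is
    not a proxy is the client. Entries a client wrote into the header itself sit
    further left and are never reached. (Generic algorithm for illustration only.)"""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr
    chain = [a.strip() for a in xff_header.split(",") if a.strip()]
    for addr in reversed(chain):
        if not is_trusted(addr):
            return addr
    return remote_addr          # every hop was a proxy; nothing better to report

if __name__ == "__main__":
    # Constructed scenario: nginx on 192.168.1.1 proxies to the container; an
    # internet client at 203.0.113.5 sends a forged header claiming to be 10.0.0.1.
    header = add_forwarded_for("10.0.0.1", "203.0.113.5")
    print("LAN-only, LAN client:", nginx_access(LAN_ONLY_RULES, "192.168.1.10"))
    print("LAN-only, internet client:", nginx_access(LAN_ONLY_RULES, "203.0.113.5"))
    print("header reaching Nextcloud:", header)
    print("address Nextcloud should log:", client_address("192.168.1.1", header, ["192.168.1.0/24"]))
```

The forged 10.0.0.1 entry is discarded because the trusted proxy appended the real peer to its right; conversely, a header presented by a peer outside TRUSTED_PROXIES is ignored entirely, which is why that list should name only the proxy's own subnet rather than every address that might ever connect.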

1.5                Personalize NextCloud

After logging into NextCloud, click on "Set Location For Weather". Choose autodetect or enter your address.

Click on the user icon (top right of page, should be first letters of your user name), select settings. Set the following values (all optional):

  • Profile picture
  • Email address (recommended, to receive notifications)
  • Phone Number
  • Address
  • Website
  • Twitter
  • Language
  • Locale

1.6                Configure Email

Nextcloud can send password reset emails, notify users of new file shares, changes in files, and activity notifications. Users configure which notifications they want to receive on their personal pages.

NextCloud connects to your existing mail server. You must have an active mail server for NextCloud to be able to send emails. The mail server may be on the same machine as NextCloud, or it may be a remote server (such as google mail).

If you want newly added users to receive a welcome email with further instructions, configure email before adding any users.

From the NextCloud main page, click the user icon (top right of page, should be first letters of your user name), select "Basic Settings", follow the NextCloud email configuration guide to setup and test email functionality.

1.7                Add NextCloud Users

Click on the user icon (top right of page, should be first letters of your user name), select "Users".

If the user is not an administrator (limited access), create a "User" group. Click on "Add Group" and enter a group name, click on the arrow to add the group.

Click on "New User" (top left of page). Enter the following values:

  • User Name
  • Display Name
  • Password
  • Email
  • Select group for user

Newly added users will receive a welcome email with further instructions for setting up their profile.

If NextCloud is to be used for collaboration on projects, create a group for each project and add project users for each project.

1.8                NextCloud Client Applications

In addition to browser access, NextCloud provides Clients for desktop (Windows, macOS, Linux) and mobile devices (Android, iOS). It is not recommended (performance) to access NextCloud using mobile browsers. Choose clients of interest and install them on your devices.

NextCloud client applications allow file sync between your NextCloud server and client devices, plus provide notifications of events such as new files, incoming call invites and messaging mentions.

1.9                Determine Files to Share

Files can be shared and synced (between devices) publicly (everyone), with group members or individual members or private (not shared). Consult the NextCloud file sharing documentation.

It is useful to synchronize photos / videos from mobile devices to NextCloud to handle events such as police seizing camera footage in futile attempts to suppress / spin acts of public protest, etc.

File sync from mobile devices also means that you do not lose your data if your device is lost, stolen or breaks.

2      NextCloud Applications

2.1                NextCloud Talk

NextCloud Talk (watch the demo video) is a totally secure, self-hosted (no third-party servers snooping on your communications) multi-party video conferencing, screen sharing and chat application equivalent to Google Meet.

To install NextCloud Talk, from the main NextCloud page, select your user icon (top right), select "Apps", scroll down to "Talk", select "Download and Enable". After the Talk icon changes to "Disable", return to the main page.

An example NextCloud Talk session is shown below (bad hair day):

Figure 5: NextCloud Talk Session

2.1.1      Turn Server

If NextCloud has been configured for public internet access (Nginx), a Turn Server is required to allow media streams to traverse firewalls. SecureOffice provides Coturn, a combination Stun / Turn server for firewall traversal. If all clients are connected via SecureOffice VPN (all clients on local LAN), no Turn server is required.

To install Coturn, enter "opkg install coturn". Coturn is automatically configured during install.

NextCloud Talk must be configured to use coturn. From the NextCloud main page, click on your user icon (top right), select "Settings". On the left, scroll down to and select "Talk".

Scroll down to "Stun Servers". Enter "<your domain name without www>:3478". Example: "example.com:3478"

Scroll down to "Turn Servers", select "+" to add a server. Enter "<your domain name>:3478" in the server field. Example: "example.com:3478"

Using an SSH session to SecureOffice, enter "cat /etc/turnserver.conf | grep static-auth-secret=". Copy the value (example: "d9d85894ff0724b00f021c7ea717b2feba7bde3f359ce9dc490bb00001e550cc") and paste it into the NextCloud Turn Server "secret" field. The "static-auth-secret" value was randomly created at coturn install and is part of the NextCloud / coturn authentication mechanism.

The Turn server listening port (example: 3478, tcp, udp) must be opened on the SecureOffice firewall.
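The "static-auth-secret" shared between coturn and Nextcloud Talk is used the way the TURN REST API scheme (draft-uberti-behave-turn-rest, which coturn enables with "use-auth-secret") prescribes: Talk mints short-lived usernames of the form "<expiry timestamp>:<id>" and derives the password as base64(HMAC-SHA1(secret, username)); coturn recomputes the same HMAC on each allocation request and refuses anything past its expiry, so no per-user TURN passwords exist and a leaked credential stops working at its timestamp. The Python below is an added illustration of that exchange, not code from coturn or Nextcloud Talk; the secret is a constructed placeholder and Talk's exact id format is not reproduced.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder. The real value is the 'static-auth-secret=' line of
# /etc/turnserver.conf on SecureOffice, the same string pasted into Talk's settings.
STATIC_AUTH_SECRET = "0000-constructed-example-secret-not-from-this-page-0000"

def turn_password(secret, username):
    """base64(HMAC-SHA1(secret, username)), the TURN REST API password rule."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def turn_credentials(secret, user_id, ttl_seconds=86400, now=None):
    """Client side (what Talk hands the browser): a username that carries its own
    expiry and a password nobody can compute without the shared secret."""
    now = time.time() if now is None else now
    username = f"{int(now) + ttl_seconds}:{user_id}"
    return username, turn_password(secret, username)

def turn_verify(secret, username, password, now=None):
    """Server side (what coturn does on ALLOCATE): recompute the HMAC, compare in
    constant time, and reject credentials whose embedded expiry has passed."""
    now = time.time() if now is None else now
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False                     # username not in '<expiry>:<id>' form
    expected = turn_password(secret, username)
    return hmac.compare_digest(expected, password) and now < expiry

if __name__ == "__main__":
    issued_at = 1_700_000_000            # fixed clock so the run is reproducible
    user, pw = turn_credentials(STATIC_AUTH_SECRET, "talk-session-42", 3600, now=issued_at)
    print("username:", user)
    print("valid now:", turn_verify(STATIC_AUTH_SECRET, user, pw, now=issued_at))
    print("valid after ttl:", turn_verify(STATIC_AUTH_SECRET, user, pw, now=issued_at + 3600))
    print("valid with other secret:", turn_verify("some-other-secret", user, pw, now=issued_at))
```

Because the password is a pure function of the secret and the username, the only thing worth protecting on the TURN side is the secret itself; keep /etc/turnserver.conf readable by root only and rotate the value (in both places) if it is ever exposed.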

2.1.2      Make a Test Call

To verify firewall traversal, three PC's (you and two friends at separate internet addresses with email addresses) are required. Each PC must have configured camera, audio input and output devices.

Optional: Add your two friends as users.

From the NextCloud main page, select "Talk" ("Q" icon).

  • In the upper left corner of the Talk page is a "Search conversations or users" text box.
  • An existing conversation name can be entered to select a previous conversation and participants.
  • Existing user names can be entered to start a conversation between you and the selected user
  • Selecting the "+" icon will create a new conversation with you as the sole participant.
  • While within a conversation, other participants can be added by selecting "Participants" and entering a user name, group name or email address in the text box. New participants will receive an invite email with a link to join the conversation. All participants will be prompted (by their browser) for permission to use their microphone and camera. While within a conversation, participants can mute their video or microphone. Any participant can send a text message to specific participants or to all of them. Any user can screen share for group collaboration.

2.1.3      NextCloud Talk Clients

NextCloud does not provide a desktop talk client. Instead, the NextCloud desktop client provides notifications of NextCloud events such as incoming talk call and mentions in messages. Selecting the event notification opens your browser to the webpage containing the event of interest.

NextCloud clients (including Talk) are available for Android and iOS. Due to mobile browser performance limitations, it is important to use mobile clients for NextCloud Talk.

2.2                Other NextCloud Applications

NextCloud has many other applications such as phone / device trackers, collaboration apps, contact managers, schedule managers, email, password and bookmark managers, etc. A full list is available here.

3      NextCloud Backup / Restore

Due to shared files, the amount of NextCloud data can become quite large, beyond the ability of OpenWrt (web GUI) backup to handle. SecureOffice provides an alternate automatic mechanism for backing up large amounts of data. This is essentially a cron job performing a periodic backup integrated with the normal backup process. Details are documented in Backup / Restore Large Amounts of Data.
